will/adopt-a-street
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b3dc6087500545226c6c59b2e33a129b42d18b4f
adopt-a-street/backend/server.js
William Valentin b3dc608750 feat(backend): implement comprehensive security and validation 
Implement enterprise-grade security measures and input validation:

Security Features:
- Add Helmet.js for security headers (XSS, clickjacking, MIME protection)
- Implement rate limiting (5/15min for auth, 100/15min for API)
- Add Socket.IO JWT authentication middleware
- Fix JWT auth middleware (remove throw in catch, extend token to 7 days)
- Implement centralized error handling with AppError class
- Add CORS restrictive configuration

Input Validation:
- Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users)
- Create comprehensive validation schemas in middleware/validators/
- Consistent error response format for validation failures

Additional Features:
- Add pagination middleware for all list endpoints
- Add Multer file upload middleware (5MB limit, image validation)
- Update .env.example with all required environment variables

Dependencies Added:
- helmet@8.1.0
- express-rate-limit@8.2.1
- express-validator@7.3.0
- multer@1.4.5-lts.1
- cloudinary@2.8.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-01 10:42:19 -07:00

142 lines
3.9 KiB
JavaScript
Raw Blame History

require("dotenv").config();
const express = require("express");
const mongoose = require("mongoose");
const cors = require("cors");
const http = require("http");
const socketio = require("socket.io");
const helmet = require("helmet");
const rateLimit = require("express-rate-limit");
const { errorHandler } = require("./middleware/errorHandler");
const socketAuth = require("./middleware/socketAuth");
const app = express();
const server = http.createServer(app);
const io = socketio(server, {
cors: {
origin: process.env.FRONTEND_URL || "http://localhost:3000",
methods: ["GET", "POST"],
credentials: true,
},
});
const port = process.env.PORT || 5000;
// Security Headers - Helmet
app.use(helmet());
// CORS Configuration
app.use(
cors({
origin: process.env.FRONTEND_URL || "http://localhost:3000",
credentials: true,
}),
);
// Body Parser
app.use(express.json());
// Rate Limiting for Auth Routes (5 requests per 15 minutes)
const authLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 requests per windowMs
message: {
success: false,
error: "Too many authentication attempts, please try again later",
},
standardHeaders: true,
legacyHeaders: false,
});
// General API Rate Limiting (100 requests per 15 minutes)
const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // 100 requests per windowMs
message: {
success: false,
error: "Too many requests, please try again later",
},
standardHeaders: true,
legacyHeaders: false,
});
// MongoDB Connection
mongoose
.connect(process.env.MONGO_URI, {
useNewUrlParser: true,
useUnifiedTopology: true,
})
.then(() => console.log("MongoDB connected"))
.catch((err) => console.log("MongoDB connection error:", err));
// Socket.IO Authentication Middleware
io.use(socketAuth);
// Socket.IO Setup with Authentication
io.on("connection", (socket) => {
console.log(`Client connected: ${socket.user.id}`);
socket.on("joinEvent", (eventId) => {
socket.join(`event_${eventId}`);
console.log(`User ${socket.user.id} joined event ${eventId}`);
});
socket.on("joinPost", (postId) => {
socket.join(`post_${postId}`);
console.log(`User ${socket.user.id} joined post ${postId}`);
});
socket.on("eventUpdate", (data) => {
io.to(`event_${data.eventId}`).emit("update", data.message);
});
socket.on("disconnect", () => {
console.log(`Client disconnected: ${socket.user.id}`);
});
});
// Make io available to routes
app.set("io", io);
// Routes
const authRoutes = require("./routes/auth");
const streetRoutes = require("./routes/streets");
const taskRoutes = require("./routes/tasks");
const postRoutes = require("./routes/posts");
const commentsRoutes = require("./routes/comments");
const eventRoutes = require("./routes/events");
const rewardRoutes = require("./routes/rewards");
const reportRoutes = require("./routes/reports");
const badgesRoutes = require("./routes/badges");
const aiRoutes = require("./routes/ai");
const paymentRoutes = require("./routes/payments");
const userRoutes = require("./routes/users");
// Apply rate limiters
app.use("/api/auth/register", authLimiter);
app.use("/api/auth/login", authLimiter);
app.use("/api", apiLimiter);
// Routes
app.use("/api/auth", authRoutes);
app.use("/api/streets", streetRoutes);
app.use("/api/tasks", taskRoutes);
app.use("/api/posts", postRoutes);
app.use("/api/posts", commentsRoutes); // Comments are nested under posts
app.use("/api/events", eventRoutes);
app.use("/api/rewards", rewardRoutes);
app.use("/api/reports", reportRoutes);
app.use("/api/badges", badgesRoutes);
app.use("/api/ai", aiRoutes);
app.use("/api/payments", paymentRoutes);
app.use("/api/users", userRoutes);
app.get("/", (req, res) => {
res.send("Street Adoption App Backend");
});
// Error Handler Middleware (must be last)
app.use(errorHandler);
server.listen(port, () => {
console.log(`Server running on port ${port}`);
});
Reference in New Issue View Git Blame Copy Permalink